gh0strat | ef1eb02db647526bafb247caa3facbc135f9e3de716d37f51a4d70903afad657

Analysis

max time kernel
150s
max time network
142s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
26-09-2024 10:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-26_6962d4a9cea22514b7b0ac789290cdc3_hijackloader_icedid.exe
Size

3.1MB
MD5

6962d4a9cea22514b7b0ac789290cdc3
SHA1

427053f5e0617ddc96e4969afdf91c9d86966e44
SHA256

ef1eb02db647526bafb247caa3facbc135f9e3de716d37f51a4d70903afad657
SHA512

056c3fe88700aa3aba4d6054173d366938a6c75a723f80f9af71a5af32043ff8012c174d00498db21a396919eb0a2c64917c479ed37d992d6a0052426a7334b6
SSDEEP

49152:g09XJt4HIN2H2tFvduySthF0J1HiHg6RUFEMusQn5r422rTm21:lZJt4HINy2LkuJ1KUFEMu5y23S

Score

10^/10

gh0strat purplefox discovery persistence rat rootkit trojan upx

Malware Config

Signatures

Detect PurpleFox Rootkit 9 IoCs

Detect PurpleFox Rootkit.

rootkit

resource	yara_rule
behavioral1/memory/2688-13-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2688-8-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2688-9-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2564-19-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2668-35-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2668-31-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2564-30-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2668-29-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2668-73-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit

Gh0st RAT payload 9 IoCs

resource	yara_rule
behavioral1/memory/2688-13-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2688-8-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2688-9-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2564-19-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2668-35-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2668-31-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2564-30-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2668-29-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2668-73-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
rootkit trojan purplefox

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\QAssist.sys	TXPlatforn.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys"	TXPlatforn.exe

Executes dropped EXE 4 IoCs

pid	Process
2688	RVN.exe
2564	TXPlatforn.exe
2668	TXPlatforn.exe
2936	HD_2024-09-26_6962d4a9cea22514b7b0ac789290cdc3_hijackloader_icedid.exe

Loads dropped DLL 4 IoCs

pid	Process
2796	2024-09-26_6962d4a9cea22514b7b0ac789290cdc3_hijackloader_icedid.exe
2564	TXPlatforn.exe
2796	2024-09-26_6962d4a9cea22514b7b0ac789290cdc3_hijackloader_icedid.exe
2936	HD_2024-09-26_6962d4a9cea22514b7b0ac789290cdc3_hijackloader_icedid.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\TXPlatforn.exe	RVN.exe
File opened for modification	C:\Windows\SysWOW64\TXPlatforn.exe	RVN.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2688-6-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2688-13-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2688-8-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2688-9-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2564-19-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2668-35-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2668-31-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2564-30-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2668-29-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2668-73-0x0000000010000000-0x00000000101B6000-memory.dmp	upx

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	2024-09-26_6962d4a9cea22514b7b0ac789290cdc3_hijackloader_icedid.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	2024-09-26_6962d4a9cea22514b7b0ac789290cdc3_hijackloader_icedid.exe
File created	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	2024-09-26_6962d4a9cea22514b7b0ac789290cdc3_hijackloader_icedid.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	2024-09-26_6962d4a9cea22514b7b0ac789290cdc3_hijackloader_icedid.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RVN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HD_2024-09-26_6962d4a9cea22514b7b0ac789290cdc3_hijackloader_icedid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-26_6962d4a9cea22514b7b0ac789290cdc3_hijackloader_icedid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TXPlatforn.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2704	cmd.exe
796	PING.EXE

Modifies Internet Explorer settings 1 TTPs 26 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "433509285"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{2EFA0A71-7BF4-11EF-91A4-527E38F5B48B} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
796	PING.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2796	2024-09-26_6962d4a9cea22514b7b0ac789290cdc3_hijackloader_icedid.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
2668	TXPlatforn.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2688	RVN.exe
Token: SeLoadDriverPrivilege	2668	TXPlatforn.exe
Token: 33	2668	TXPlatforn.exe
Token: SeIncBasePriorityPrivilege	2668	TXPlatforn.exe
Token: 33	2668	TXPlatforn.exe
Token: SeIncBasePriorityPrivilege	2668	TXPlatforn.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1068	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2796	2024-09-26_6962d4a9cea22514b7b0ac789290cdc3_hijackloader_icedid.exe
2796	2024-09-26_6962d4a9cea22514b7b0ac789290cdc3_hijackloader_icedid.exe
1068	IEXPLORE.EXE
1068	IEXPLORE.EXE
2828	IEXPLORE.EXE
2828	IEXPLORE.EXE
2828	IEXPLORE.EXE
2828	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 2796 wrote to memory of 2688	2796	2024-09-26_6962d4a9cea22514b7b0ac789290cdc3_hijackloader_icedid.exe	30
PID 2796 wrote to memory of 2688	2796	2024-09-26_6962d4a9cea22514b7b0ac789290cdc3_hijackloader_icedid.exe	30
PID 2796 wrote to memory of 2688	2796	2024-09-26_6962d4a9cea22514b7b0ac789290cdc3_hijackloader_icedid.exe	30
PID 2796 wrote to memory of 2688	2796	2024-09-26_6962d4a9cea22514b7b0ac789290cdc3_hijackloader_icedid.exe	30
PID 2796 wrote to memory of 2688	2796	2024-09-26_6962d4a9cea22514b7b0ac789290cdc3_hijackloader_icedid.exe	30
PID 2796 wrote to memory of 2688	2796	2024-09-26_6962d4a9cea22514b7b0ac789290cdc3_hijackloader_icedid.exe	30
PID 2796 wrote to memory of 2688	2796	2024-09-26_6962d4a9cea22514b7b0ac789290cdc3_hijackloader_icedid.exe	30
PID 2564 wrote to memory of 2668	2564	TXPlatforn.exe	32
PID 2564 wrote to memory of 2668	2564	TXPlatforn.exe	32
PID 2564 wrote to memory of 2668	2564	TXPlatforn.exe	32
PID 2564 wrote to memory of 2668	2564	TXPlatforn.exe	32
PID 2564 wrote to memory of 2668	2564	TXPlatforn.exe	32
PID 2564 wrote to memory of 2668	2564	TXPlatforn.exe	32
PID 2564 wrote to memory of 2668	2564	TXPlatforn.exe	32
PID 2688 wrote to memory of 2704	2688	RVN.exe	33
PID 2688 wrote to memory of 2704	2688	RVN.exe	33
PID 2688 wrote to memory of 2704	2688	RVN.exe	33
PID 2688 wrote to memory of 2704	2688	RVN.exe	33
PID 2796 wrote to memory of 2936	2796	2024-09-26_6962d4a9cea22514b7b0ac789290cdc3_hijackloader_icedid.exe	35
PID 2796 wrote to memory of 2936	2796	2024-09-26_6962d4a9cea22514b7b0ac789290cdc3_hijackloader_icedid.exe	35
PID 2796 wrote to memory of 2936	2796	2024-09-26_6962d4a9cea22514b7b0ac789290cdc3_hijackloader_icedid.exe	35
PID 2796 wrote to memory of 2936	2796	2024-09-26_6962d4a9cea22514b7b0ac789290cdc3_hijackloader_icedid.exe	35
PID 2704 wrote to memory of 796	2704	cmd.exe	36
PID 2704 wrote to memory of 796	2704	cmd.exe	36
PID 2704 wrote to memory of 796	2704	cmd.exe	36
PID 2704 wrote to memory of 796	2704	cmd.exe	36
PID 2936 wrote to memory of 2428	2936	HD_2024-09-26_6962d4a9cea22514b7b0ac789290cdc3_hijackloader_icedid.exe	37
PID 2936 wrote to memory of 2428	2936	HD_2024-09-26_6962d4a9cea22514b7b0ac789290cdc3_hijackloader_icedid.exe	37
PID 2936 wrote to memory of 2428	2936	HD_2024-09-26_6962d4a9cea22514b7b0ac789290cdc3_hijackloader_icedid.exe	37
PID 2936 wrote to memory of 2428	2936	HD_2024-09-26_6962d4a9cea22514b7b0ac789290cdc3_hijackloader_icedid.exe	37
PID 2428 wrote to memory of 1068	2428	iexplore.exe	38
PID 2428 wrote to memory of 1068	2428	iexplore.exe	38
PID 2428 wrote to memory of 1068	2428	iexplore.exe	38
PID 2428 wrote to memory of 1068	2428	iexplore.exe	38
PID 1068 wrote to memory of 2828	1068	IEXPLORE.EXE	39
PID 1068 wrote to memory of 2828	1068	IEXPLORE.EXE	39
PID 1068 wrote to memory of 2828	1068	IEXPLORE.EXE	39
PID 1068 wrote to memory of 2828	1068	IEXPLORE.EXE	39

C:\Users\Admin\AppData\Local\Temp\2024-09-26_6962d4a9cea22514b7b0ac789290cdc3_hijackloader_icedid.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-26_6962d4a9cea22514b7b0ac789290cdc3_hijackloader_icedid.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2796
- C:\Users\Admin\AppData\Local\Temp\RVN.exe
  C:\Users\Admin\AppData\Local\Temp\\RVN.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2688
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\RVN.exe > nul
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    PID:2704
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 2 127.0.0.1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:796
- C:\Users\Admin\AppData\Local\Temp\HD_2024-09-26_6962d4a9cea22514b7b0ac789290cdc3_hijackloader_icedid.exe
  C:\Users\Admin\AppData\Local\Temp\HD_2024-09-26_6962d4a9cea22514b7b0ac789290cdc3_hijackloader_icedid.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2936
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://se.360.cn/
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2428
  - - C:\Program Files\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://se.360.cn/
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1068
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1068 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2828

C:\Windows\SysWOW64\TXPlatforn.exe
C:\Windows\SysWOW64\TXPlatforn.exe -auto
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2564
- C:\Windows\SysWOW64\TXPlatforn.exe
  C:\Windows\SysWOW64\TXPlatforn.exe -acsi
  2⤵
  - Drops file in Drivers directory
  - Sets service image path in registry
  - Executes dropped EXE
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  PID:2668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1e4a06134371a693a2c184e9c126cb4e

SHA1
8cd44cb58aab68ef620eef1a035321fb85781240

SHA256
6bdd14c917b79587df7b23a745c83b59ad5b3040f3fcbcd2b7f76303ef894e51

SHA512
875c73acbff8a34c9c259dc8fb247499246fad88d1cb92bb21007601f33997305221eaafd2c78f3bc1af29330f43f15ebda85b5737d62ff6163aff73e88eb307

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bd78baee480ca0e2b809aab8bfc06431

SHA1
f3b838325679ff0821c42af46b21bb93ca00d976

SHA256
bd280bd5332ae2f3edfbfe24d3ff25d62a09aa44b5f119e756d882f3f7d1aa99

SHA512
5908adc72b134a53fcaa74ee6a4b7f0f2be79c4eb673e0a2ddeb7a91d0521e5b6e75c544222d3c06405f8e8d51cf0da7c0a29021e68b0c90ea397786c59ef527

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d21f6f5a30ada5eec31c435336e58d16

SHA1
d96af87aab4db71ea4c901155a4f07d570f611bc

SHA256
df87c7999f1bb571eb453b0430897e990ee61c2cd9abf1a6bc35927428dc30b0

SHA512
14542ea3d808126a1f4a58010f0fe38742a203d12873596256dd9f002e99ad1c3f41f6b5658d4bc9fe1493fc8f75934547cc4744fca65d7c1db6afbf5b18cb03

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
eab4ef783665b7101cc5c14a2fc214e7

SHA1
d44402a2f096174a04cd5229bd7ca63cf5d5ebae

SHA256
f9b8d77c62bab0095ddcf206b85e7a4bd03c34896387b55db4de199665ae9295

SHA512
53905763478242e9df81bfb40945b0dd6314eaee450a030f226d6a5bfd59a766e5e1915b4a0b75f650aeb7c80d0cc296a9a431d07ed6865013347336bf536fc1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
aed819d365f465bd122d2c85744f3038

SHA1
84af0c4a3b25e48d9890fefb997752cd5763aaeb

SHA256
f4f190fc87855f04e71ac8a7149f9b807de53ed6667c7abd88217c5ccad488c9

SHA512
5dc11bc9de59caa9aae47cdae00c5f09cc91726327233f129d69fc215e0f2d0ee3c7d90fc65a7154b8f2b7d751ebbe3d6d4fd2f47e10267f0b383561920c5997

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
701389176543613e9482597ff88a2d4b

SHA1
93fb871f53f059e77d8aaf9701888811761a58d7

SHA256
ae4275f462931fff5b01fc51175e0ebd8c0a4ffa8880161b2648fc15bb9b8cf6

SHA512
799d45d8c5e0ee3f3721609b62405dd542ec605a2e6727d1f23d2c74fdd41deda71d00eada256da1209d63fc0840c5a0c86e95219bcdb9d7a0b04a5d965d2660

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5d07559afdccc6a9823fdb9f67a92ef5

SHA1
eab317ad5f7c40cc24d5afa0056b4237a9decb47

SHA256
c3e42d5824f44b4321ad911f91bdd8166fa7aaaa8811ed7dadfa430d853ed317

SHA512
45309a571708a96906fc53fad9d0a8c86c3c05cb8df40b1df4acd902820c04741bc33c12be8018ba7be2c49dab6fcaf418c1bb36546fd0530bf3a5d390217037

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7f959003379147f3acc9a06c1d7fd0b1

SHA1
62b2504cf84dad5ab48d358a306337237b91a5db

SHA256
ac3dff850945f000a260f3f7396e3a67610033a3f77dde8ff7760140e41d45b0

SHA512
cf4ddce723cf615010d2eb7d67f404d417f6431252a4bd16d211c316edb3d410dfad8ef8d0b7fde6f8e3945b21efc98c1666a5e6cbc96fb7e04c0ebe52b18077

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7321413483efab88dc17b020545c558f

SHA1
34a57cd6a9d47eb7030089a078730bf0db9c83e8

SHA256
e3cc861bae01a8ad2e07f4edf3365c330db01a9a1921448968839032e3944a6f

SHA512
c26a1b09b89c4163c2150184fca58e7d6e51ab3e9fadf564717839941ebdd71fb75a0edf8bb0d34e1eea2c17b19c90a9abf4ad445b84615bb99dbfd8fe4bb6d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab5CD2.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\HD_2024-09-26_6962d4a9cea22514b7b0ac789290cdc3_hijackloader_icedid.exe

Filesize
2.0MB

MD5
8ccd883ea64fe957d70f301162be652b

SHA1
8bf16a638921ad62b701bbdafce86aac240e869b

SHA256
0e84989a929d53e468fa86047978b9947abfdb694e197d067468e679608384fb

SHA512
bf22b1a6af4f9219ea7cddc9c138821835620f477201b992635ac237fa75aeba4ea28a5806dd3cd1c4d52d98a05e7a4b53f4039dd4b518b5cf93284ecdf35938

Download Submit
C:\Users\Admin\AppData\Local\Temp\HD_X.dat

Filesize
1.1MB

MD5
5c614bd0a03b71cbbc3d9eb8a5ab3881

SHA1
f3baa48aa6b802b3631666274578e6e8f9f3ffa9

SHA256
fa086c8ed0d69d4d5836ffe2f0abb0b020de24be794a6c98c48198367c16badd

SHA512
0debafa20885161098dc97641bf56e941df88246c7b82c390b01742cfa2a25c3193cc735301ed17129148865a9ac478300940d30c5e5e8eb16be80207f479f1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar5D90.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Users\Admin\AppData\Local\Temp\RVN.exe

Filesize
377KB

MD5
80ade1893dec9cab7f2e63538a464fcc

SHA1
c06614da33a65eddb506db00a124a3fc3f5be02e

SHA256
57a920389c044e3f5cf93dabff67070b4511e79779b6f874e08f92d8b0d7afbd

SHA512
fffd4f3fccb5301b3c7a5b3bd92747f31549fbd9d0803fe5d502d1bb0ef979140988718c2ee1406ed3e755790d275185e120a56cbcb5ed2eadf62b5cdbfc4cc4

Download Submit
memory/2564-30-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2564-19-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2668-35-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2668-31-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2668-29-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2668-73-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2688-9-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2688-8-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2688-13-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2688-6-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2796-0-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/2796-519-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download